Directory Tiers, Instances and Roles

Enterprises require directory services as part of the information technology (IT) infrastructure that supports naming, locating, discovering, describing, authenticating, and managing identities and resources within an enterprise network or IT environment. Because IT applications and infrastructure systems have tended to implement directory services in functional silos, most enterprises own and operate an excess of directory systems and are seeking to consolidate their many application-specific directories into fewer instances of multipurpose directories. To accomplish consolidation, however, planners must first understand their directory requirements in terms of existing IT infrastructure and application tiers, and then they must identify the roles that directory services must play within or across those tiers.

Directory services are important building blocks for the enterprise’s identity management (IdM) architecture and must be carefully planned to meet the requirements of each constituency that applications serve. IdM data such as attributes, policies, and processes is stored in directory repositories, which will be consumed by identity infrastructure components. Therefore, efficient and effective security services rely on well-structured and well-organized directory services.

Directory architects should begin by distinguishing between directory tiers, roles, and instances, as illustrated in Figure 1. A directory tier reflects the level of enterprise infrastructure at which the directory operates and the level of security it must adhere to. Externally facing or mission-critical business-line applications are often considered first-tier applications, whereas departmental NOS servers are considered third-tier applications. A directory instance is an independent directory service, usually with a contiguous namespace running on one or more servers that operates within a directory tier. Finally, a directory role refers to the types of applications that a directory supports. For example, a directory in the consumer directory role typically stores information and preferences for retail customers.